IAM (Identity Access Management)
IAM allows you to manage users, groups, roles and their corresponding level of access to the AWS platform.
IAM is global: it is not tied to any region at this time.
Root account vs IAM user
The root account has full admin access and shouldn't be used on a daily basis. Instead, an IAM user account should be used for day-to-day tasks.
Always select the region closest to you when beginning to work with AWS.
Adding a user to IAM
- Go to IAM Dashboard
- Click on Add user
- Add User name and Access type: Programmatic access / AWS Management Console access
- Add group
- Add tags (optional)
- Create user
Sign in as an IAM user
To sign in as an IAM user, you need the 12 digit account number. This number can be found in Users/Summary in the User ARN field as arn:aws:iam::<account_number>:user/<user_name>.
Or you can instead set up an alias for IAM users to sign in from the IAM dashboard.
The sign-in URL for IAM users looks like: https://CUSTOMER_ACCOUNT_NUMBER.signin.aws.amazon.com/console, where CUSTOMER_ACCOUNT_NUMBER is replaced with either the alias or the account number.
AWS access types
Available methods to enable access to AWS when adding a new user:
- Programmatic access: Enables an access key ID and secret access key for use from the CLI, SDKs and API; the secret access key can only be viewed when the user is first created.
- AWS Management Console access: Enables a password to sign in to the AWS Management Console along with the user name.
Security best practices in IAM
- Delete your root access keys
- Activate MFA on your root account
- Create individual IAM users
- Use groups to assign permissions
- Apply an IAM password policy for password complexity and lifecycle management. A password policy defines the set of rules an IAM user must follow when setting a password.
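The first four best practices above can be checked from the IAM credential report rather than by clicking through the console. The following is an added example (not code from the original post): it parses a constructed sample in the column layout of the credential report (only the columns the check needs are included, and the account number 111122223333 is a placeholder) and flags root access keys, missing root MFA, and console users without MFA.

```python
import csv
import io

# Constructed sample in the column layout of the IAM credential report.
# Only the columns this check needs are included; all values are made up.
SAMPLE_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_2_active
<root_account>,arn:aws:iam::111122223333:root,not_supported,false,true,false
alice,arn:aws:iam::111122223333:user/alice,true,true,true,false
bob,arn:aws:iam::111122223333:user/bob,true,false,false,false
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,false,false,true,true
"""


def audit_credential_report(report_csv: str) -> list:
    """Return one finding per violated best practice found in the report."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        name = row["user"]
        # Either access key slot being active counts as a live long-term key.
        has_key = (row["access_key_1_active"] == "true"
                   or row["access_key_2_active"] == "true")
        mfa = row["mfa_active"] == "true"
        console = row["password_enabled"] == "true"

        if name == "<root_account>":
            # The report lists the root user under this fixed name.
            if has_key:
                findings.append("root: access key is active; delete root access keys")
            if not mfa:
                findings.append("root: MFA is not enabled")
        elif console and not mfa:
            # Console sign-in without MFA is the most common user-level gap.
            findings.append(f"{name}: console password without MFA")
    return findings


if __name__ == "__main__":
    for finding in audit_credential_report(SAMPLE_REPORT):
        print(finding)
```

On a real account the CSV comes from `aws iam generate-credential-report` followed by `aws iam get-credential-report` (the `Content` field is base64-encoded); feed the decoded text to `audit_credential_report`. Users with only programmatic access, like `deploy-bot` in the sample, produce no finding here because MFA applies to console sign-in; such users should instead be reviewed for key rotation.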
Setting permissions for a user
Different ways of setting permissions for a new user are as follows:
- Add user to group
- Copy permissions from existing user
- Attach existing policies directly
IAM Roles
IAM roles are a secure way to grant permissions to entities that you trust.
Examples of entities include the following:
- IAM user in another account
- Application code running on an EC2 instance that needs to perform actions on AWS resources
- An AWS service that needs to act on resources in your account to provide its features
- Users from a corporate directory who use identity federation with SAML (Security Assertion Markup Language 2.0)
IAM roles issue keys that are valid for short durations, making them a more secure way to grant access.
IAM Policy
An IAM policy is a JSON document which defines one or more permissions.
Testing IAM permissions
IAM Policy Simulator can be used to do the following:
- Test IAM permissions before we commit them to production
- Validate that a policy works as expected
- Test policies already attached to existing users
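To make the policy document and the simulator's job concrete, here is an added example (not code from the original post and not the real IAM Policy Simulator) that evaluates a constructed sample policy the way IAM's core decision logic does: an explicit Deny in any matching statement wins, otherwise a matching Allow grants access, otherwise the request is implicitly denied. Action names match case-insensitively and `*`/`?` wildcards are honoured; Conditions, NotAction/NotResource and resource-based policies are deliberately not modelled, and the bucket name is a placeholder.

```python
import json
import re

# Constructed sample identity policy: reads on the bucket are allowed, but
# anything under the secret/ prefix is explicitly denied.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowReads",
            "Effect": "Allow",
            "Action": ["s3:Get*", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-bucket",
                         "arn:aws:s3:::example-bucket/*"],
        },
        {
            "Sid": "DenySecretPrefix",
            "Effect": "Deny",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::example-bucket/secret/*",
        },
    ],
})


def _pattern_to_regex(pattern: str, ignore_case: bool):
    """Translate IAM's '*' (any run of characters) and '?' (one character)."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE if ignore_case else 0)


def _as_list(value):
    """Action and Resource may be one string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _statement_matches(statement: dict, action: str, resource: str) -> bool:
    # Action names are case-insensitive in IAM; resource ARNs are not.
    actions = _as_list(statement.get("Action", []))
    resources = _as_list(statement.get("Resource", []))
    action_ok = any(_pattern_to_regex(a, True).fullmatch(action) for a in actions)
    resource_ok = any(_pattern_to_regex(r, False).fullmatch(resource) for r in resources)
    return action_ok and resource_ok


def evaluate(policy_json: str, action: str, resource: str) -> str:
    """Return 'explicitDeny', 'allowed' or 'implicitDeny' for one request."""
    statements = _as_list(json.loads(policy_json)["Statement"])
    allowed = False
    for stmt in statements:
        if not _statement_matches(stmt, action, resource):
            continue
        if stmt["Effect"] == "Deny":
            return "explicitDeny"          # any matching Deny ends evaluation
        if stmt["Effect"] == "Allow":
            allowed = True                 # keep looking for a later Deny
    return "allowed" if allowed else "implicitDeny"


if __name__ == "__main__":
    checks = [
        ("s3:GetObject", "arn:aws:s3:::example-bucket/public/readme.txt"),
        ("s3:GetObject", "arn:aws:s3:::example-bucket/secret/key.pem"),
        ("s3:PutObject", "arn:aws:s3:::example-bucket/public/readme.txt"),
        ("s3:ListBucket", "arn:aws:s3:::example-bucket"),
    ]
    for act, res in checks:
        print(f"{act:14} {res:50} -> {evaluate(SAMPLE_POLICY, act, res)}")
```

The three outcomes are the same ones the IAM Policy Simulator reports for a request, which is why running a table of expected action/resource pairs like the one in `__main__` against a policy before attaching it is a cheap regression check: a new Allow that accidentally widens access, or a Deny that blocks a path it should not, shows up as a changed result.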
Key IAM Terminologies
USERS - End users
GROUPS - A collection of users under one set of permissions
ROLES - Create roles and assign them to AWS resources
POLICY - A document that defines one (or more) permissions; it can be attached to a user, a group or a role.